Former Uber exec sentenced for covering up data breach

Sign with logo at the headquarters of car-sharing technology company Uber in the South of Market (SoMa) neighborhood of San Francisco, California, with red vehicle visible in the background parked on Market Street, October 13, 2017. (Photo by Smith C

A federal judge in San Francisco on Thursday imposed a sentence of three years' probation on the former head of security at Uber for his role in covering up a data breach that allegedly exposed the personal information of more than 50 million riders and drivers.   

Prosecutors from the U.S. Attorney's Office in San Francisco had asked U.S. District Judge William Orrick to impose 15 months imprisonment for Joseph Sullivan, 54, arguing that "probationary or token prison sentences for corporate executives in general undermine respect for the law ... and disregard the core principle that all defendants are equal before the law regardless of their position and power."   

The sentencing comes after a four-week jury trial in 2022 in which Sullivan was found guilty on one count of obstruction and one count of "misprision," or actively concealing a felony.   

Sullivan lives in Palo Alto and has deep connections in the Silicon Valley tech universe.   

He was trained as a lawyer at the University of Miami and came to the Bay Area in 1997 to work in the U.S. Attorney's Office in San Francisco, the same office that 25 years later would lead his prosecution.   

In 2002, he was hired away from the U.S. Attorney's Office, where he was prosecuting high-tech crimes, to join eBay Inc. as senior director of trust and safety, a position that involved combating cyber-crime, often in close cooperation with law enforcement.   

Four years later, he moved from eBay to PayPal Holdings Inc. to lead the company's North American legal team. According to his court filing, "During this time, Mr. Sullivan also emerged as a public face for the cybersecurity industry, championing safety measures that thwarted phishing attempts."   

In 2008 he jumped to Facebook Inc., where served as chief security officer overseeing the company's security team, a group that grew from 10 people to 130 during his tenure. While he was at Facebook, the company's platform had explosive growth and Sullivan dealt with new and cutting-edge cyber-security issues.   

Uber Technologies Inc. hired Sullivan as Uber's chief security officer in April 2015.   

When he arrived, the Federal Trade Commission was investigating Uber for a 2014 data breach that compromised about 50,000 consumers' personal information.   

In supervising the company's responses to FTC investigators, Sullivan gave testimony to the FTC on Nov. 4, 2016 about the company's data security practices, including the steps Uber had taken to keep customer data secure.   

Ten days after that testimony, Sullivan learned that Uber had been breached again, this time by hackers who demanded a ransom in exchange for deleting the data, which included records on approximately 57 million Uber users and 600,000 driver's license numbers.   

According to the prosecutors, Sullivan "almost immediately recognized that this second breach revealed that Uber's prior representations to the FTC about encryption practices and the scope of Uber employees' access to such data -- including those [Sullivan] had made under oath -- had been false."   

Featured

Former CEO at tech startup pleads guilty to falsifying revenue to fool investors

The former CEO of a Sunnyvale-based tech startup pleaded guilty in a San Francisco federal court Thursday to charges related to defrauding investors.

Sullivan then allegedly worked to cover up the breach, arranging to pay off the hackers in exchange for non-disclosure agreements and allegedly blending the transaction into the company's so-called "bug bounty program" in which the company compensated outside people for finding problems with the company's code.   

Uber paid the hackers $100,000 in Bitcoin in December 2016.   

In the fall of 2017, Uber's new management began investigating the 2016 data breach and it was eventually disclosed publicly and to the FTC. According to prosecutors, the FTC's lead investigator said that when Uber's counsel finally informed him of the breach in November 2017, it was "probably the single most frustrating experience that I had at my time at the Federal Trade Commission."   

After Sullivan was convicted, his lawyers, as is customary in these cases, prepared a "sentencing memorandum" to point out to the judge the reasons why leniency -- in this case a sentence of probation -- was appropriate.   

The memorandum argued that Sullivan had been a hard-working, unassuming professional throughout his career, always working to protect customers and the public against harm. He was a family man and a mentor to young people. He worked to aid disadvantaged youth and support freedom fighters in the Ukraine.   

He had also engaged in public service and was a leader in the cybersecurity area. The memorandum noted that in 2016, President Barack Obama appointed Sullivan to the President's Commission on Enhancing National Cybersecurity.   

Sullivan's filing included a vast number of letters of support -- 185 according to his lawyers -- from family, friends, colleagues and others who know him and wanted the judge to extend him leniency. They included a letter signed by 60 cybersecurity professionals and another from more than 40 chief security officers.   

The letters were intended to support the argument that "Joe Sullivan has lived an exemplary life marked by hard work, integrity, and a commitment to doing the right thing."   

The government's sentencing memorandum turned many of Sullivan's arguments back against him.   

The prosecutors said that they did not "dispute any of Defendant's good deeds or general moral qualities as reflected in the many letters submitted on his behalf."   

Related

Oakland's ransomware attack intensifies as city struggles to respond

The scope of the City of Oakland ransomware attack has widened, as the personal information of some residents was also compromised, according to officials.

But then they said "Those same moral qualities only underscore that Defendant knew how wrong his conduct was."   

And as for the volume of letters provided to the court, prosecutors said, "White-collar defendants in general, and successful corporate executives in particular, will almost always have deep networks of supporters to call upon in difficult times. One does not become an executive at a company like Uber without having such a network."   

The letters, prosecutors argued, "only underscore Defendant's extraordinarily privileged position among the many individuals the Department of Justice prosecutes ... They mainly demonstrate that Defendant is a wealthy, powerful man, with a strong network of family and friends that has benefited him throughout his life."   

The government then employed its harshest rhetoric, noting that an undocumented drug dealer sentenced in federal court "is unlikely to have had the opportunity to whitewash his criminal record by volunteering to help war-torn Ukrainians, nor the network or resources to make an extensive showing of other good deeds in his life."   

Sullivan wrote his own five-page letter to the court in which he said he accepted responsibility for his actions and recognized that he had hurt many people. He apologized.   

He closed the letter saying, "I won't let the mistakes I made happen again on my watch. Ever. And I want to dedicate my life to making up for it."   

Judge Orrick came down on the side of probation, adding a $50,000 fine and 200 hours of community service to the sentence.